Fine-Grained MSR Specifications for Quantitative Security Analysis - PowerPoint PPT Presentation

Slides: 26

Transcript and Presenter's Notes

1
Fine-Grained MSR Specifications for Quantitative Security Analysis
  • Iliano Cervesato, iliano@itd.nrl.navy.mil
  • ITT Industries, Inc. @ NRL, Washington, DC
  • http://theory.stanford.edu/~iliano/

Security Analysis of Protocols @ DIMACS
July 9, 2004

2
Qualitative (Dolev-Yao) Analysis
  • Classifies protocol operations in
    • Possible (Dolev-Yao): easy (polynomial)
      • Reception/transmission
      • Crypto with key, …
    • Impossible: hard (exponential)
      • Guessing keys
      • Breaking crypto, …
  • Security assessed only on possible ops
  • Easily achieved by most current tools
  • What next?

3
Analysis beyond Dolev-Yao
[Diagram with two axes. Data: symbolic → bit-oriented (more ops: xor, DH, …; type confusion; guessing). Crypto: perfect → probabilistic → real (hybrid: probability, complexity; cost-aware).]

4
Cost-Aware Security Analysis
  • Assign cost to operations [Meadows, 01]
    • Including non Dolev-Yao
      • Discrete logarithm, factoring, …
      • (Verifiable) guessing [Lowe, 02]
      • Principal subversion, …
  • Applications
    • Estimate actual resources needed for attacks
    • Resource limitations (smart cards, PDAs, …)
    • DoS resistance assessment
    • Comparing attacks or protocols

5
Outline
  • Protocol specification
    • MSR → Fine-Grained MSR
    • Technique applies to other languages
    • Traces and Scripts
  • Cost Model
    • Operations → Scripts
  • Cost-aware Security
    • Threshold analysis
    • Comparative analysis

6
MSR (Advertisement)
  • Executable protocol specification language
  • Theoretical results
    • Decidability
    • Most powerful intruder, …
  • 3 generations already
    • MSR 1 (here)
    • MSR 2 = 1 + strong typing
    • MSR 3 = 2 + ω-multisets
  • Based on MultiSet Rewriting
    • Foundations in (linear) logic
    • Ties to Petri nets and process algebra
  • Practice
    • Kerberos V
    • Implementation underway

7
Multiset Rewriting
  • Multiset: set with repetitions allowed
    • {a, b, c} ≠ {a, a, b, c, c, c}
  • Rewrite rule
    • r: N1 → N2
  • Application (state M1 → state M2)
    • M, N1 → M, N2

8
... with Existentials
  • Multisets of 1st-order atomic formulas
  • Rules
    • r: F(x) → ∃n. G(x, n)
  • Application (M1 → M2)
    • M, F(t) → M, G(t, c)   with c not occurring in M1

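Rule application as described on slides 7 and 8, worked as an added Python example (not code from the talk or from any MSR implementation): a backtracking matcher finds N1 inside the state, and every existential is bound to a constant that does not occur in M1. The tuple encoding of atoms, the lowercase-means-variable convention and the "#i" shape of fresh constants are this example's own assumptions.

```python
from collections import Counter
from itertools import count

# Added example (not from the talk): a minimal multiset-rewriting engine for the
# rule application of slides 7-8.  An atom is a tuple (predicate, arg, ...): a
# lowercase string argument is a variable, anything else is a constant.  A rule is
# (lhs, rhs, existentials), e.g. ([("F", "x")], [("G", "x", "n")], ["n"]) for
# r: F(x) -> EXISTS n. G(x, n).  A state M is a Counter of ground atoms.

is_var = lambda t: isinstance(t, str) and t[:1].islower()

def match(pattern, atom, subst):
    """Extend subst so that pattern instantiates to atom; None if impossible."""
    if len(pattern) != len(atom) or pattern[0] != atom[0]:
        return None
    s = dict(subst)
    for p, a in zip(pattern[1:], atom[1:]):
        if is_var(p):
            if s.setdefault(p, a) != a:   # same variable, same constant
                return None
        elif p != a:
            return None
    return s

def match_lhs(lhs, state, subst=None):
    """Find theta and the sub-multiset N1 of state matched by lhs (backtracking)."""
    subst = dict(subst or {})
    if not lhs:
        return subst, Counter()
    for atom in list(state):
        s = match(lhs[0], atom, subst)
        found = s is not None and match_lhs(lhs[1:], state - Counter({atom: 1}), s)
        if found:
            return found[0], found[1] + Counter({atom: 1})
    return None

def apply_rule(rule, state):
    """One application  M, N1 -> M, N2  (slide 7) with slide 8's side condition:
    each existential is bound to a fresh constant not occurring in M1."""
    lhs, rhs, exists = rule
    found = match_lhs(lhs, state)
    if found is None:
        return None                        # rule not applicable in this state
    theta, n1 = found
    used = {a for atom in state for a in atom[1:]}
    for n in exists:
        theta[n] = next(f"#{i}" for i in count() if f"#{i}" not in used)
        used.add(theta[n])
    inst = lambda atom: (atom[0],) + tuple(theta.get(a, a) for a in atom[1:])
    return (state - n1) + Counter(inst(atom) for atom in rhs)
```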
9
Traces and Scripts
  • Traces
    • Rewrite sequence (r1, θ1), …, (rn, θn) from M0 to Mn
      • Rules ri
      • Substitutions θi
  • Scripts
    • Parametric traces
      • S, (r, x)
      • S1 S2
      • !n S
    • Normal run S_NR
    • Attack scripts S_A

(cf. Vitaly's symbolic traces)

10
MSR for Security Protocols
  • Messages
    • A, k, n, …   Principals, keys, nonces, …
    • {m}_k, (m, m), …   Encryption, concatenation, …
  • Predicates
    • N(m)   Network messages
    • M(t1, …, tn)   Public data
    • M_A(t1, …, tn)   Private data
    • I(m)   Intruder info.
    • L_v(t1, …, tn)   Local states

11
Example
  • Needham-Schroeder protocol
    • A → B: {nA, A}_kB
    • B → A: {nA, nB}_kA
    • A → B: {nB}_kB
  • Initiator role
    • PrvK_A(kA, kA^-1), PubK(B, kB)  →  ∃nA. PrvK_A(kA, kA^-1), PubK(B, kB), L(kA, kA^-1, kB, nA), N({nA, A}_kB)
    • L(kA, kA^-1, kB, nA), N({nA, nB}_kA)  →  N({nB}_kB)

12
Preparing for Cost Assignment
  • Isolate operations
    • Verification
      • Success
      • Failure
    • Construction
  • Apply rule in stages
    • Pre-screening
    • Detailed verification
  • Split LHS into atomic steps
  • Allow failure

13
Fine-Grained MSR (1)
  • Rules
    • Clean-up
    • lhs → rhs else cr
  • Predicates
    • Registers R_v(m)
    • Headers N_h(m)
  • Phased execution
    • Select rule based only on predicates
    • Verify if arguments match
    • Allow failure

14
Fine-Grained MSR (2)
  • Verification rules
    • N_h(x) → R(x)
    • L_v(x) → R(x)
    • R(y), R(op_y(x)) → R(x) else cr
    • R(x), R(x) → · else cr
    • R(x) → R(m)
  • Construction rules
    • Remain the same

15
Fine-Grained Intruder
  • Dolev-Yao style
    • N_h(x) → I(x)
    • M(x) → I(x)
    • I(y), I(op_y(x)) → I(x)
    • I(x) → N_h(x)
    • · → ∃x. I(x)
    • I(x) → I(op(x))
  • Subversion
    • · → X(A)
    • X(A) → ·
    • X(A), M_A(x) → X(A), I(x)
  • Guessing
    • I(g), I({g}_x) → I(x)
    • Fine-grained: … G(x), … V1(m1), … V2(m2), and G(x), V1(y), V2(y) → I(x)

16
Cost
  • Cost annotation: S vtA
    • t: cost type
      • Time, space, energy, …
    • A: principal incurring the cost
    • v: amount of cost
      • Physical measurements
      • 0 / ∞ (Dolev-Yao model)
      • Complexity classes

17
Assigning Cost: Basic Operations
  • Network
  • Storage
  • Operations
    • Construction
    • Successful verification
    • Failed verification
  • Subversion
  • Guessing
  • Various ways
    • Supports very high precision
    • Difficulty depends on precision
    • Possibly subjective

18
Assigning Costs: Traces, Scripts
  • Traces k(T)
    • Add up basic costs
      • Monotonic costs: time, energy, …
      • Non-monotonic: space, …
  • Scripts k(S)
    • Interval arithmetic
      • Script alternative

19
Quantitative Security Analysis
  • A model checking view
    • Explicit state MC
      • Direct
    • Symbolic MC
      • Via encoding

20
Threshold Analysis
  • k(S_NR) ≤ k_HW/HCI ?
    • Cost of normal run acceptable?
    • PDAs, cell phones, …
  • k(S_A) ≤ k_I ?
    • Cost of attack/defense acceptable?
    • Cost of candidate attack vs. resources
    • Non Dolev-Yao operations
  • min x. k(S_A(x)) ≥ k_I ?
    • Design protocol
    • Fine-tuning parameters

21
Comparative Analysis
  • k(S_A1) ≤ k(S_A2) ?
    • Comparing attacks
    • Protocol can always be attacked
  • k(S_P1) ≤ k(S_P2) ?
    • Comparing protocols
  • k_B(S_A) ≤ k_I(S_A) ?
    • Comparing attack and defense costs
    • Denial of Service
    • Tit for tat [Carl Gunter]

22
Typical Client/Server Exchange
[Diagram: message sequence chart, with the space and time cost of each message for client and server.]

Message      Client (space, time)   Server (space, time)
request      scq, tcq               ssq, tsq
challenge    scc, tcc               ssc, tsc             (state held for at most the time-out T)
response     scr, tcr               -(ssq + ssc), tsr    (server releases the stored state)
ok           sco, tco               0, tso               (total server space ≤ B)

23
Time DoS
  • Service rate 1/tsq
    • Usually dominated by networking costs
  • Service rate 1/(tsq + tsc)
    • Attack rate 1/tcq
  • Service rate 1/(tsq + tsc + tsr)
    • Attack rate 1/tcq
    • Better attack
[Diagrams: three attacker timelines, one request every tcq, against the server's per-message processing times tsq, tsc and tsr.]

24
Space DDoS
[Diagram: attacker request/challenge timeline against server memory; each half-open exchange holds ssq + ssc for at most T, total server space bounded by B.]
  • Max concurrent requests
    • n(B) = B / (ssq + ssc)
  • Optimal time-out
    • tmin ≤ T ≤ (tsq + tsc) (n(B) − 1)
  • Example
    • ssq + ssc = 128 b
    • tsq + tsc = 100 ms
    • tmin = 90 s
    • n(B) = 10,000
    • B = 1.28 Mb, T ≈ 16 min
[Diagram: server space (B, in n(B) − 1 slots of ssq + ssc) against time (tsq, tsc, tsr, time-out T).]

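Cost bookkeeping for the exchange of slide 22 under the cost model of slides 16 to 18, together with the time-DoS and space-DDoS thresholds of slides 23 and 24, as an added Python example (not code from the talk). The client-side values, and the split of the slide-24 server sums into ssq/ssc and tsq/tsc, are constructed for the example.

```python
from collections import defaultdict

# Added example (not from the talk): bookkeeping for the cost model of slides
# 16-18 over the client/server exchange of slide 22, plus the time-DoS and
# space-DDoS checks of slides 23-24.  A basic cost is a triple (v, t, A): amount v
# of cost type t incurred by principal A ("C" client, "S" server).

# Constructed sample values in bits and seconds.  The server-side sums reproduce the
# slide-24 example (s_sq + s_sc = 128 b, t_sq + t_sc = 100 ms); the rest is made up.
S_SQ, S_SC, T_SQ, T_SC, T_SR, T_SO = 64, 64, 0.05, 0.05, 0.02, 0.01
S_CQ, S_CC, S_CR, S_CO, T_CQ, T_CC, T_CR, T_CO = 32, 64, 32, 0, 0.01, 0.03, 0.02, 0.01

# Normal-run trace S_NR: each step carries the basic costs it incurs.  Space is
# non-monotonic: the server releases s_sq + s_sc once the response is verified.
NORMAL_RUN = [
    ("request",   [(S_CQ, "space", "C"), (T_CQ, "time", "C"), (S_SQ, "space", "S"), (T_SQ, "time", "S")]),
    ("challenge", [(S_CC, "space", "C"), (T_CC, "time", "C"), (S_SC, "space", "S"), (T_SC, "time", "S")]),
    ("response",  [(S_CR, "space", "C"), (T_CR, "time", "C"), (-(S_SQ + S_SC), "space", "S"), (T_SR, "time", "S")]),
    ("ok",        [(S_CO, "space", "C"), (T_CO, "time", "C"), (0, "space", "S"), (T_SO, "time", "S")]),
]

def trace_cost(trace):
    """k(T): add up the basic costs of a trace per (cost type, principal).
    Returns the final totals and, for the non-monotonic space cost, the peak held."""
    total, peak = defaultdict(float), defaultdict(float)
    for _step, costs in trace:
        for v, t, a in costs:
            total[(t, a)] += v
            if t == "space":
                peak[a] = max(peak[a], total[(t, a)])
    return dict(total), dict(peak)

def time_dos(tcq, tsq, tsc, tsr=0.0):
    """Slide 23: a flood of one request per t_cq overwhelms the server when the
    attack rate 1/t_cq exceeds the service rate 1/(t_sq + t_sc + t_sr)."""
    return 1 / tcq > 1 / (tsq + tsc + tsr)

def max_concurrent(B, ssq, ssc):
    """Slide 24: n(B) = B / (s_sq + s_sc) half-open exchanges fit in B bits of memory."""
    return B // (ssq + ssc)

def timeout_upper_bound(tsq, tsc, n_B):
    """Slide 24: pick T with t_min <= T <= (t_sq + t_sc) * (n(B) - 1), so the oldest
    half-open slot times out before an attacker can fill the last free one."""
    return (tsq + tsc) * (n_B - 1)
```

With the slide-24 numbers, max_concurrent(1_280_000, 64, 64) gives the 10,000 slots of the example and timeout_upper_bound(0.05, 0.05, 10_000) gives 999.9 s, the "T ≈ 16 min" of the slide.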
25
Conclusions
  • Quantitative protocol analysis
    • Cost conscious attacks (non Dolev-Yao)
    • Fine-Grained specification languages (MSR)
  • Related work
    • C. Meadows: cost framework for DoS
    • G. Lowe: guessing attacks
    • D. Tomioka et al.: cost for spi-calculus
  • Future work
    • Attack costs: WEP
    • DoS aware protocols: JFK, client puzzles, bins
    • Protocol analysis as optimization problem
    • Economics of network security
    • Complexity-based costs and mixing probability